Moving Sensitive U.S. Electrons Around in a Coalition Environment

Colonel Dennis Treece, USA
5th Signal Command, U.S. Army Signal Command

As I was finishing this article, I had the opportunity to visit with my Hungarian counterparts at the North Atlantic Treaty Organization (NATO) Partnership for Peace Interoperability Exercise, Combined Endeavor 99. What an eye-opener this was! As the United States mulls over how to deal safely with our constantly recurring Commander, Joint Task Force (CJTF) responsibilities within a largely U.S. context, our future partners are busy looking for truly multinational solutions. In my opinion, we should be moving faster in that direction ourselves. Because as a superpower we have traditionally taken on the lion's share of these efforts, we have understandably focused on U.S. solutions to the problems we face. Combined Endeavor has been the forum for what will eventually yield an explosion of data sharing among nations such as Albania, Estonia, and the former Yugoslav Republic of Macedonia and with new and old NATO members. I believe we need to take its lessons to heart. This effort is still in its infancy, but clearly, to paraphrase an Estonian sergeant who spoke to me, the future success of the alliance will ride on a backbone of fiber-optic cable, carrying command and control (C2) in the form of e-mail and file transfers among all the participants.

This article lays out one officer's observations and views on U.S. data sharing with our current and future coalition partners. Although our own budgets, military, and experience are larger than our partners', in this one respect the playing field is level. All nations have to find a way to balance national security concerns with any military coalition's needs to share information.


It's a security thing, not a hospitality thing...

Pressure to make data sharing work comes from our seniors who, rightly, expect to succeed in their missions and likewise expect every asset at their disposal to support that success. Usually we can, but in the area of sharing classified and sensitive information with other nations, we bump into some pesky U.S. statutes and high-level Government policies. Not being precisely versed in these statutes, commanders and staff officers expect the comms or intel guys to "get a waiver or something" so our coalition partners can be fully integrated into the U.S. war room or operations center. In my experience, most commanders see this as an operational question, "Do we believe in our partnership or don't we?," and "If we do, then let's get the information out on the table so we can win this thing and go home."

My own opinion is that our seniors simply feel that it's a hospitality thing. It's just too socially awkward to tell that foreign counterpart he or she has to leave the room so we can discuss U.S. secrets. Americans, culturally and emotionally, simply find it hard to believe we would invite foreign nations to share the sting of battle without sharing everything else. I heard it expressed best one day by one of our generals: "We're an immigrant culture, and we assimilate others well. We're just pleased as punch when somebody comes to our house for supper, and we get out our best dishes to make them feel welcome." True. However, we can't set the table with fiber-optic connections to classified defense information as readily as we can set out the silverware and napkins. That's because it boils down to a security thing, not a hospitality thing.
If what you're doing is legal, there's a legal way...

In our present "make it happen" environment, staffs are often indirectly pressured to do the wrong thing and hope for the best. In the coalition connectivi- [...] -tually comes back to haunt us. To save everybody the headache and legal trouble associated with improperly transferring U.S. information to foreigners, we need to get two simple thoughts through everybody's head—

1. You can't terminate U.S.-only classified information in a coalition office or space.

2. You can't connect U.S. classified networks to U.S. unclassified networks.


OK, that's pretty clear—but how do we flow U.S. information into a coalition operation?

Easy, at least in concept. The best approach is, from day 1, to establish a U.S. National Information Center (USNIC) as a separate entity from the coalition headquarters. USNIC will be the U.S. ops and intel hub. Don't make the common mistake of establishing a U.S. headquarters with coalition members inside. Start international and stay that way, for the coalition headquarters. Sure, some pain comes from having to remote some of the ops and intel tools you like to have close at hand. But this is an acceptable cost of doing business and becomes less painful once you get used to it. We were successful in Riyadh with a Coalition Coordination Center (CCC) nestled in the midst of the U.S. ops and intel centers. This was a physically separate space but near where the U.S. information was coming in and being processed. As the Counterintelligence Chief for U.S. Central Command (CENTCOM), I handled foreign disclosure for the CCC, and while it was complex at first, we figured out a way to make disclosure happen and it quickly became routine. Our procedure gave meaning to the coalition and preserved U.S. information integrity. To my personal knowledge, this approach has also been successful with the Egyptians during Bright Star (Friendly Forces Coordination Center or F2C2) and is now used every day in both Sarajevo and Tuzla, Bosnia-Herzegovina.

Many nations who are part of the United Nations (UN)-sanctioned, NATO operations in the Balkans have, in fact, established their own national information centers to handle their national information, submit their national reports, and deal with national administrative matters that naturally arise in the course of daily operations. It just makes good sense.

Like everything else in life, the devil is in the details...

Information Sharing 101. First, the security guys must articulate what types of information can be shared and with what nations. The rules are complex and not for the information management (IM) guys to guess at. Every commander in chief (CINC) has a foreign disclosure shop in the J2 Directorate, and they publish matrices to facilitate these transfers from the U.S. joint task force (JTF) to the coalition. In the Balkans, there are numerous groups, not a single coalition, and they have their own distribution schemes. The largest consumer base is NATO, which is easy to deal with because the United States has been a member since the beginning and we have well-established "Rel NATO" guidelines. Some European nations like Russia, Sweden, and Finland and a host of other national and multinational entities involved in the Balkans don't belong to NATO and yet have missions in the region. Finding a common denominator for information sharing among them is challenging but not impossible.

The really hard part, the "Achilles heel" of coalition information sharing, is the mechanism by which any nation transfers information outside its own system. Success requires clear policy on what can be shared, clear procedures on how to do it, and a well-disciplined workforce that sticks to the rules. What follows are the methods I've seen work well and some of the pitfalls associated with the process.

First, make sure the material is needed by the coalition, is legally releasable, and is in a releasable format (i.e., national markings are removed and the information is clearly marked as releasable to the coalition). Once that's done, it's always a good idea to have a second person review the material before release. When I commanded the U.S. Army Europe (USAREUR) Echelon Above Corps Intelligence Center, then called the UCIRF, our standard was to have the major on the floor also review the material before actually making a transfer. In this business two sets of eyes are definitely better than one, although admittedly this step adds to the time the whole procedure takes.

Second, drop the material onto a disk and "air gap" it via "sneaker net" from one network to another. Scan the disk for viruses, and upload accordingly. Sounds easy, but the first time you try to download a moderately sized PowerPoint briefing and find it's too big for the 1.44 megabyte (MB) floppy disk, you will go to your system administrator for a solution. Unless you thought ahead, you probably didn't include any robust zip drives in the deployment kit, so what do you do? First, of course, you should immediately order the zip drives necessary to make this method work. (Having the zip drives not only facilitates the sneaker net, but also enables you to make frequent backups that will help preserve your data in case you have to restore a network following a power surge or outage, enemy action, etc.) One of the common nightmares in the data transfer business is an information systems professional being hounded by staff officers under pressure to get the briefing onto the coalition network "right now." When it's too big for the floppy, the standard (and illegal) solution is to make a direct serial port connection between the Secret Internet Protocol Router Network (SIPRNET) client and the N. Level (unclassified but sensitive) Internet Protocol Router Network (NIPRNET) client so you can transfer the file. Then, of course, another file is transferred, and another, and pretty soon, this connection is seen as "normal." Not good. The clear message here is that every organization needs a large-capacity removable memory device. Our PX sells good ones in the 1 gigabyte (GB) range for less than $200, easily within a unit's supply budget.
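The two-step procedure above (confirm need, releasability and markings; get a second reviewer; then move the material by removable disk, scan it, and upload) can be written down as a release gate so that nobody has to "guess at" the rules under pressure. The following Python sketch is an added example, not code from the article or from any DoD system: it checks a document against a constructed disclosure matrix (standing in for the J2 foreign disclosure matrices the author mentions), verifies that national-only markings are gone and a "REL" marking is present, enforces two distinct reviewers, checks the file against the capacity of the removable medium, and refuses to upload until the scan result is clean. The category names, nation codes, marking strings, reviewer names and disk sizes are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed disclosure matrix: information category -> nations it may be
# released to. A stand-in for the CINC J2 foreign disclosure matrices; the
# categories and nation lists are invented for this example.
DISCLOSURE_MATRIX = {
    "OPS_SUMMARY": {"GBR", "FRA", "DEU", "SWE", "RUS"},
    "INTEL_ASSESSMENT": {"GBR", "FRA", "DEU"},
    "LOGISTICS": {"GBR", "FRA", "DEU", "SWE", "RUS", "FIN"},
}

# Markings that must be stripped before anything leaves the U.S. network
# (constructed list of marking strings).
NATIONAL_ONLY_MARKINGS = {"NOFORN", "US ONLY", "U.S. ONLY"}

FLOPPY_BYTES = 1_440_000        # the 1.44 MB floppy from the article
ZIP_DISK_BYTES = 100_000_000    # assumed capacity of a zip disk


@dataclass
class Document:
    name: str
    category: str
    markings: list            # e.g. ["SECRET", "REL NATO"]
    size_bytes: int
    requested_by_coalition: bool
    reviewers: list = field(default_factory=list)   # people who reviewed it


@dataclass
class ReleaseDecision:
    approved: bool
    reasons: list             # empty when approved


def denied_nations(doc, nations):
    """Nations in the request that the matrix does not allow for this category."""
    allowed = DISCLOSURE_MATRIX.get(doc.category, set())
    return sorted(set(nations) - allowed)


def check_release(doc, nations, scan_clean, medium_bytes=ZIP_DISK_BYTES):
    """Gate a document for sneaker-net transfer to the coalition network.

    Collects every failed check rather than stopping at the first one, so
    the releaser sees the whole list of what still has to be fixed.
    """
    reasons = []
    # Step 1: needed by the coalition, legally releasable, releasable format.
    if not doc.requested_by_coalition:
        reasons.append("not requested by the coalition")
    denied = denied_nations(doc, nations)
    if denied:
        reasons.append("category %s not releasable to %s"
                       % (doc.category, ",".join(denied)))
    upper = [m.strip().upper() for m in doc.markings]
    if any(m in NATIONAL_ONLY_MARKINGS for m in upper):
        reasons.append("national-only marking still present")
    if not any(m.startswith("REL ") for m in upper):
        reasons.append("no REL marking for the coalition")
    # Two sets of eyes: two distinct reviewers before the transfer is made.
    if len(set(doc.reviewers)) < 2:
        reasons.append("second reviewer required")
    # Step 2: fits the removable medium (no serial-cable shortcuts) and the
    # disk scanned clean before anything is uploaded on the far side.
    if doc.size_bytes > medium_bytes:
        reasons.append("too big for the removable medium")
    if not scan_clean:
        reasons.append("virus scan not clean")
    return ReleaseDecision(approved=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample documents.
    brief = Document("ops_brief.ppt", "OPS_SUMMARY", ["SECRET", "REL NATO"],
                     5_000_000, True, ["CPT Adams", "MAJ Baker"])
    assessment = Document("assessment.doc", "INTEL_ASSESSMENT",
                          ["SECRET", "NOFORN"], 900_000, True, ["CPT Adams"])
    for doc, nations in ((brief, ["GBR", "SWE"]), (assessment, ["RUS"])):
        d = check_release(doc, nations, scan_clean=True)
        print(doc.name, "APPROVED" if d.approved else "DENIED", d.reasons)
```

The gate deliberately reports every failed check at once; a releaser who only ever sees the first problem tends to fix it and try again, which is how "right now" pressure turns into repeated shortcuts. Passing `medium_bytes=FLOPPY_BYTES` shows the size check rejecting the same briefing that the zip disk accepts.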

That was the bad news. The good news?

There's light at the end of this tunnel... The way ahead is being forged today in the Balkans.

An outstanding example of Yankee ingenuity can be found in Multinational Division North, where they have created a coalition wide area network at the coalition Secret level. This network makes information available to the Russians, as well as the Swedes, and the Americans, and the Brits, etc. This arrangement also takes pressure off the United States to get some sort of automation onto the desktops of key coalition commanders and their staffs. The coalition network is not connected in any way with U.S. classified or unclassified networks or with the NATO networks either. Only 2 months old at this writing, it appears to be working very well.

Additional good news is that NATO has made great strides in its CRONOS (SIPRNET equivalent) network that runs at the NATO Secret level. From what I've observed, CRONOS e-mail is the clear C2 tool of choice for NATO, which greatly eases the burdens on the United States network to provide the multinational C2 computer network and try to do it legally. This network also solves the problem of having common classified equipment on everyone's desktop (at least within NATO). CRONOS runs the Microsoft Office Suite that everyone seems to be familiar with, and if the pipe is big enough, there's not much you can't send over this system. There is of course no connectivity between CRONOS and any U.S. network or with the coalition wide area network. (Air gap works both ways as long as the information is authorized for release in the direction you take it.) The only problem to sort out here is getting approval for a CRONOS circuit and then laying it in—less than easy or quick at this point, but it will get better as the staffs on the national and NATO sides get accustomed to taking these actions.

Way Ahead...

Coalition data sharing can be successful without jeopardizing either the success of the coalition mission or our national security, but to make the process less painful we need several [...]. Since the Wall came down, it's [...] that we don't fight much any more either single service or single nation. We've got to make combined-joint planning a given in the data sharing and network building arena. So first, we need to educate our ops planners about what the coalition information infrastructure architecture looks like and how it drives the way the facilities are laid out. The clearer this connection is in the minds of the planners, the clearer it will be in the minds of our commanders, and the less painful it will be to implement. When seen as a function of both security and (improved) efficiency, separate U.S. and coalition enclaves will be more readily acceptable to our commanders. They need this clear understanding, and buy-in, to avoid awkward moments in the operations center. If the center was built as a coalition facility, everyone stays in the room when all briefings are given, and the battle rhythm remains uninterrupted. There are no awkward moments when the non-U.S. personnel are asked to leave because U.S.-only information is to be shown. U.S. commanders and staff of course attend their separate U.S.-only ops/intel briefs at set times

continued on page 18
Information Assurance

Gary Guissanie
OASD(C3I)/Infrastructure and Information Assurance

Two recent publications offer guidance on applying "red teaming" to test operational readiness.

Red teaming responds to the need identified by the Defense-wide Information Assurance Program (DIAP)[1] to use "an effective process for routinely assessing the operational readiness of the Department's information systems and networks." As independent assessments, red team activities bring an impartial perspective to bear on information assurance (IA) vulnerabilities that could be exploited by an adversary.

Many Department of Defense (DoD) organizations have embraced the concept of red teaming and taken steps to include related activities in their security assessments. Red team methodology has not been standardized across the Department, however. One organization may have a totally different understanding of the term than another. Consequently, it is difficult to measure Department readiness or have confidence in its ability to deter an adversary from exploiting vulnerabilities.

To address this need, the Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (OASD(C3I)) tasked The MITRE Corporation to develop an IA red team methodology. The company met with various red team organizations to capture best practices and lessons learned, and the methodology developed resulted from a collaborative effort involving many red team organizations within the IA community.

The two recent OASD(C3I) publications document the methodology for designing, developing, assembling, and conducting red team activities. The first, Defense-Information Assurance Red Team Methodology (D-IART), emphasizes DoD needs. The second, Information Assurance Red Team Handbook, applies to users throughout the Government.

By publicizing a well-defined, repeatable process that captures the insights and expertise of Government and industry red team specialists, OASD(C3I) seeks to ensure that all DoD red team activities have a consistent purpose, a common structure, and meaningful and comparable results.

IA red team activities are not limited to computer network attacks. The DIAP defines them as—

"an independent and threat-based effort by an interdisciplinary, simulated opposing force, which, after proper safeguards are established, uses both active and passive capabilities on a formal, time-bounded tasking to expose and exploit IA vulnerabilities of friendly forces as a means to improve the readiness of DoD Components."

By this definition, IA red team activities may employ physical measures, social engineering, operational security, and other resources to mount various types of attacks. Although red teams are essentially exploitative, they can adopt a wide range of approaches, from covert, no-notice events to overt training, for example, and their scope can vary dramatically from small-scale applications, such as embedded system testing, to DoD-wide operations.

Accordingly, the D-IART publication addresses the broad spectrum of attack types and intended operational impacts. The methodology presented accommodates both narrowly focused attacks and those that encompass the full IA spectrum, including physical, psychological, and automated data processing attacks. The range of intended targets spans both limited-scope, single-function activities and broad-ranging operations that influence worldwide U.S. military operations. The methodology is designed with enough flexibility to accommodate limited-impact attacks, such as notional attacks, and

continued on page 8
Department of Defense Computer Emergency Response Team Confronts the Melissa Virus

Early Friday evening, March 26, 1999, the hotline at the Defense Information Systems Agency's (DISA) Department of Defense Computer Emergency Response Team (DoD CERT, formerly known as the ASSIST) received an unprecedented number of telephone calls from anxious customers ranging from local units in the Washington, DC area to system administrators in Asia.

During the first half hour of the incident, DoD CERT, which is a component and the technical arm of the Joint Task Force-Computer Network Defense (JTF-CND, IA Newsletter, Winter 98/99), received conflicting reports. Comments varied from "Oh my gosh, I've been hacked!" to "I don't know what is going on with my system, but it's running slow... please help me!" After quickly sorting through available facts, DoD CERT personnel realized they were confronting the so-called Melissa virus. They took initial steps to stop the virus spread, inform DoD intrusion detection and virus experts, and eradicate the virus as quickly as possible.

DoD CERT matured its understanding of the virus by communicating with the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon and developing a detailed analysis of the virus' underlying Visual Basic application code. Information from the CERT/CC, excellent collaboration among the service CERTs, Forum of Incident Response Support Team (FIRST) members around the world, and open source data collection led the DoD CERT to recognize that the virus was affecting the entire country, not just DoD.

[Cartoon. Used by artist permission. As first seen in Federal Computer Week.]

With this knowledge, the DoD CERT quickly took the following actions:

• Sent an initial alert to the Commanders in Chief (CINC), services, agencies, DISA Regional CERTs, and other appropriate DoD organizations about the virus through telephone calls and written messages,

• Coordinated actions and technical recommendations with the JTF-CND, the service/DISA Regional CERTs, CERT/CC, and the antivirus software vendors. Although DoD organizations initially differed in their grasp of the problem, they quickly developed a common comprehension,

• Collected information from open sources,

• Provided Melissa virus and antivirus software information on the DoD CERT Nonclassified Internet Protocol Router Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET) Web sites, directed users to the sites, and continued to update this information throughout the weekend and the following week. By early Saturday morning, the JTF-CND's four military service components also had virus information on their Web sites.

• Delivered 24-hour technical support throughout the weekend, answering numerous telephone calls, e-mails, and faxes.

Saturday afternoon EST, after initial advisories and phone calls, the JTF-CND sent an official "immediate" AUTODIN message to its four military service components (including the service CERTs) and other DoD organizations to inform them about the widespread virus and direct them to take the appropriate actions to inform their employees and stop the virus. This step was essential to protect the Department from a communication denial of service.

DoD users eagerly sought the information. In fact, the number of "hits" to the DoD CERT Web sites at http://www.cert.mil (NIPRNET) and http://assist.disa.smil.mil (SIPRNET) was 300 percent greater than the number generated by its typical vulnerability bulletin release. Customers not only sought information about the virus, but also wanted to download the antivirus software signatures that eradicated the Melissa Macro virus permanently. The demand prompted the DoD CERT to reexamine the existing Web server configuration and ensure that it had enough system resources to handle the enormous number of information downloads during this crisis and others.

The Web sites were one of the most effective ways to disseminate timely information on events and countermeasures to such a large community. As a result of this incident, DoD CERT recognized that continuing to educate the Department about its information repositories, like the Web sites, is crucial to ensuring that DoD is prepared to face other computer incidents effectively.

The rapid containment of this virus resulted from three key factors—

1. The Department's ability to rapidly blanket DoD with information on the virus through open lines of communication and data sharing,

2. Rapid response from the antivirus software vendors,

3. Proactive system administrators.

Capt. Rosas, USAF, was most recently the Chief, Daily Operations, Information Assurance Officer at the Defense Information System Agency (DISA), Department of Defense Computer Emergency Response Team (DoD CERT) in Arlington, Virginia. He received his B.S. in Computer Science from McMurry University in May 1995 and his M.S. in Systems Engineering from George Mason University in May 1999. He may be reached at frosasll69@aol.com.


Red Teaming

continued from page 8

fully functional attacks on operational systems.

Both D-IART and the handbook outline the activities associated with the 4 phases of red teaming: preplanning, planning, attack, and postattack. In preplanning, the red team objectives are determined in relation to the activity's goals. During planning, specific targets, attack mechanisms, and resources are selected, legal review is performed, and permissions are acquired. In the attack phase, the activity is conducted. During postattack, results are accumulated, analyzed, interpreted, and disseminated.

Both publications are available in hard copy and on a CD-ROM that provides a red team tutorial as well as the documents. D-IART is available to DoD and its contractors. The handbook is available to U.S. Government agencies and their contractors. To obtain a copy of either publication, contact the Information Assurance Technology Analysis Center (IATAC) at (703) 289-5454 or via e-mail at iatac@dtic.mil.

1. A Management Process for a Defense-wide Information Assurance Program (DIAP), OASD(C3I), November 15, 1997.

Gary Guissanie is a program analyst with the Infrastructure & Information Assurance Directorate, OASD(C3I). A retired Army Signal Corps officer, he received a B.S. in Physics from the Polytechnic Institute of Brooklyn in 1971, an M.S. in Systems Management from Univ of So Calif in 1975 and attended the School of Information Warfare and Strategy at National Defense University in 1994/95. He may be reached at gary.guissanie@osd.pentagon.mil
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Joint  Vision  2010  (JV2010), 
published  in  July  1996  by  the 
Chairman  of  the  Joint  Chiefs  of 
Staff,  identifies  four  operational 
concepts— dominant  maneuver, 
precision  engagement,  full  di¬ 
mensional  engagement,  and  fo¬ 
cused  logistics.  The  linchpin  of 
these  operational  concepts  is  in¬ 
formation  superiority— the  ca¬ 
pability  to  collect,  process,  and 
disseminate  an  uninterrupted 
flow  of  information,  while  ex¬ 
ploiting  or  denying  an  adver¬ 
sary's  ability  to  do  the  same. 
Without  information  superiori¬ 
ty,  JV2010's  new  concepts  be¬ 
come  little  more  than  the  cur¬ 
rent  operational  concepts  of  ma¬ 
neuver,  strike,  protection,  and 
logistics. 

As  such,  information  assur¬ 
ance  (I A)— information  opera¬ 
tions  (IO)  that  protect  and  de¬ 
fend  information  and  informa¬ 
tion  systems  by  ensuring  their 
availability,  integrity,  authenti¬ 
cation,  confidentiality,  and  non¬ 
repudiation— is  critical  to  the 
success  of  the  new  operational 
concepts  described  in  JV2010. 
However,  the  DoD  cyberspace 
environment  has  demonstrated 
it  has  inherent  vulnerabilities 
that  require  new  thinking  and 
defenses  if  JV2010  is  to  succeed. 

Today's  DoD 

Cyberspace  EnvironmenT 

The  DoD  infrastructure  con¬ 
sists  of  more  than  2.1  million 
computers,  10,000  local  area 
networks,  and  1,000  long  dis¬ 
tance  networks.  More  than  95 


percent  of  DoD's  systems  use 
public  communications  net¬ 
works  available  to  the  general 
public.  These  networks  are  clas¬ 
sified  as  the  global,  national, 
and  defense  information  infra¬ 
structures  (GII,  Nil,  and  DII). 
Although  these  names  imply  in¬ 
dependence,  they  all  use  an  in¬ 
terconnected  transport  medium 
linked  to  public  switches  that 
route  data  between  geographi¬ 
cally  separated  systems.  This 
multitude  of  automated  systems 
allows  DoD  to  command,  con¬ 
trol,  protect,  pay,  supply,  and 
inform  the  force.  JV  2010  drives 
efforts  to  further  interconnect 
these  systems  and  migrate  to  a 
network  centric  environment. 
Yet  as  DoD’s  dependence  on  in¬ 
creasingly  interconnected  infor¬ 
mation  systems  grows,  so  does 
DoD’s  vulnerability. 

Protecting  DoD  Systems 

Is  o  Doily  Bottle 

All  that  is  required  to  attack 
DoD  computers  today  is  a  home 
computer,  access  to  the  Inter¬ 
net,  and  a  little  ingenuity.  Un¬ 
like  the  tools  of  conventional 
warfare,  the  tools  of  this  trade 
require  no  long-term  acquisi¬ 
tion,  training,  and  fielding 
process  to  mount  an  attack.  As 
the  typical  PC  has  become  more 
powerful  and  easier  to  use,  so 
has  the  sophistication  of  the 
weapons  that  information  ad¬ 
versaries  have  at  their  disposal. 
A  comparatively  low  technology 
adversary  with  minimal  fund¬ 
ing,  training,  staffing,  and  de¬ 
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fense  infrastructure  is  capable 
of  employing  these  weapons  on 
short  notice  from  anywhere 
worldwide.  In  this  cyberspace 
environment,  securing  one’s  in¬ 
formation  through  IA  is  critical 
to  successful  military  opera¬ 
tions.  The  IA  process  ensures 
that— 

•  Authorized  users  have  guar¬ 
anteed  access  to  appropriate 
friendly  information  systems 
(availability). 

•  Friendly  information  systems 
are  protected  from  unautho¬ 
rized  change  or  tampering 
(integrity). 

•  Authorized  users  are  verified 
(authentication). 

•  The  information  within  the 
system  is  protected  from 
unauthorized  disclosure  (con¬ 
fidentiality). 

•  Friendly  information  systems 
provide  an  undeniable  record 
of  proof  of  user  participation 
and  transactions  (non-repudi¬ 
ation). 

Any information system or process that lacks these IA components is vulnerable to adversary disruption or exploitation.

Joint Vision 2010: Only As Strong As Its Weakest Link

To test DoD planning and crisis action capabilities when faced with attacks on DoD information infrastructures, a no-notice Joint Staff exercise, ELIGIBLE RECEIVER (ER), was held June 9-13, 1997. This exercise involved DoD, the Joint Staff, the Services, USACOM, USPACOM, USSPACECOM, USSOCOM, USTRANSCOM, NSA, DISA, NSC, DIA, CIA, FBI, NRO, and the Departments of State, Justice, and Transportation.

Key observations of the exercise included—

• Poor informational/operational security practices contributed to DoD vulnerabilities.

• Attribution of attacks (i.e., determining who and why) is very difficult.

• DoD has little capability to detect or assess cyber attacks.

• Detection, reporting, and response processes are unresponsive to the speed of cyber attacks.

ER '97 demonstrated, in a real-world exercise, that DoD is not properly organized for detecting, reporting, and responding to IO attacks in a timely manner. A case that recently underscored the findings of ER '97 was SOLAR SUNRISE.

A Real-World Example of IA Weaknesses: SOLAR SUNRISE

SOLAR SUNRISE was a series of DoD computer network attacks that occurred from 1 to 26 February 1998. The attack pattern was indicative of preparation for a follow-on attack on the DII. At least 11 attacks on Air Force, Navy, and Marine Corps computers worldwide followed the same profile. Attacks were widespread and appeared to come from sites in Israel, the United Arab Emirates (UAE), France, Taiwan, and Germany. Furthermore, the attacks occurred when the United States was preparing for potential military action against Iraq in response to UN weapons inspection disputes and could have been aimed at disrupting deployments and operations.

In the end, the attackers turned out to be two teenagers from California and one teenager from Israel, not Iraq, terrorists, foreign intelligence services, nation states, or hackers for hire. Although the attacks did not cause any serious damage to DoD systems, they could have severely affected DoD during heightened tensions with Iraq.

SOLAR SUNRISE reconfirmed the vulnerabilities of DoD computer networks and DoD's need to make some changes in its approach to IA. As Dr. John J. Hamre, Deputy Secretary of Defense, said, "this should serve as a serious wake-up call." If high-school teenagers can infiltrate DoD systems with ease, imagine the damage that could be done to U.S. security by skilled professionals or potential adversaries in future asymmetric conflicts.


Making  JV2010  A  Viable  Concept 

In 1996, for the third consecutive year, the Defense Science Board (DSB) concluded that a need exists for extraordinary action to deal with the present and emerging challenges of defending against possible information attacks. Accordingly, the DSB recommended more than 50 actions designed to better prepare DoD for this new form of warfare.

Of the 13 major DSB recommendations, the author of this article believes five are essential to maintaining the integrity of DoD systems and providing an appropriate environment for executing Joint Vision 2010—

• Designate an accountable IO focal point. The Secretary of Defense must have a single focal point charged with providing leadership of the complex activities and interrelationships that are involved in this new warfare area.

• Organize for IO-Defense (IO-D). Specific IO-D capabilities and organizations must provide or support the capabilities.

• Increase awareness. Senior-level government and industry leaders must be more aware of the vulnerabilities and implications.

• Staff for success. A cadre of high-quality, trained professionals with recognized career paths is essential for defending present and future information systems.

• Provide the resources. DSB estimated achieving its 13 imperatives would cost approximately $3.1 billion over fiscal years 1997 through 2001.

The services, in efforts to defend their systems and processes against adversarial action, are fielding a wide variety of Intrusion Detection Systems (IDS), unilaterally setting detection features, and reporting differently. The Army has developed a three-phased Network Security Improvement Program (NSIP) to implement the DSB's recommendations. The Air Force and Navy are developing their own plans in the absence of a single agency consolidating service efforts. However, these parochial efforts, conducted along service-specific lines, are not consistent with the JV2010
continued  on  page  16 
A warfighter must rely on the timeliness, accuracy, and integrity of information to make effective decisions. Modern weapon systems are highly automated and execute mission functions based on information provided by a variety of sources. Automation is used in almost every operation, from controlling weapon system fire to providing medical attention. Command and control (C2) systems of the modern battlefield rely heavily on current automation products, enabling collaborative activities among dispersed forces, electronic mail for the transmission of data across echelons and out of theater, and telecommunication technologies that develop the seamless interface between the foxhole and the high command. Any disruption of this battlefield information used by commanders in future engagements will provide new targets of opportunity for foreign attack.

Developers of systems interfacing to the digitized C2 environment must provide information assurance (IA) tools to meet the expected information warfare (IW) threat. The Army's Communications-Electronics Command's Intelligence and Information Warfare Directorate (I2WD) provides data analysis and testing to support system hardening for the future IW environment. I2WD's objectives are not only to identify command, control, communication, computers, and intelligence (C4I) network and host-based vulnerabilities but also to work with the appropriate materiel developers to resolve problem areas.

I2WD is supporting the development of IA products for the tactical environment. Two efforts being executed in 1999 are the Command and Control Protection Advanced Technology Demonstration (ATD) and the supporting tactical security architecture development.

In the first effort, the Command and Control Protection ATD is a research and development (R&D) effort focused on the application of IA to the Tactical Internet. The Tactical Internet is the C2 system being used at brigade and below for transmission of C2 data, situation awareness, and voice. The Tactical Internet uses protocols similar to commercial telecommunication systems. I2WD is conducting information assessments of the Tactical Internet. Evaluations include analysis of the disruption of radio frequency (RF) data transmission and computer/network vulnerability. The analysis has been executed in both laboratory and field tests, evaluating the IA state of the current network and performance of R&D IA tools.

In the second effort, I2WD is supporting the development of the security architecture for division-level C2 systems. These systems are integrated in a similar manner to conventional wide area network (WAN) architectures. The architecture relies heavily on the commercial marketplace for network components and security features. These systems have incorporated security into the design and have integrated IA tools as part of the configuration. I2WD will be responsible for stress testing system components. The stress test will evaluate the adequacy of the tools for the tactical environment and the operator interaction required. The 1999 effort is part of an ongoing process to evaluate the security of the digitized C2 architecture.

I2WD supports these projects by using recently developed capabilities in computer network analysis and leveraging traditional strengths in signals collection and electronic warfare. The technologies have kept pace with the maturing telecommunications industry. I2WD collaborates with other outside agencies, which provide information regarding operational environments and applicable emerging technologies. I2WD's past experience and knowledge of the environment enable the execution of vulnerability analysis based on realistic IW environments. The results will alert materiel developers to any security risks associated with their systems and will provide a basis for corrective action.


Vincent Simpson holds a master's degree in electrical engineering and is a branch chief at the Communications-Electronics Command, Intelligence and Information Warfare Directorate, located at Ft. Monmouth. His current focus area is performing telecommunication systems vulnerability assessments.
Contact Law Enforcement

Your intrusion policy document should identify the appropriate law enforcement agency to contact. It should also identify circumstances that will be handled internally and those that warrant referral to an outside agency.

[Sidebar checklist; steps 2 and 3 are not recoverable from the scan.]
1. Contact Law Enforcement
2. [not recoverable]
3. [not recoverable]
4. Assemble the Incident Management Team
5. Designate an Evidence Custodian
6. Make Backups and Print Log Files
7. Begin Recording Costs Necessary to Recover from the Incident
8. Document Your Activity
9. Theorize

Assemble the Incident Management Team

Your plans should identify everyone on the incident management team and define their roles and responsibilities. A typical team consists of—

• Manager—Leads the team, has ultimate responsibility for documentation
• System Administrator—Subject matter expert for system issues and questions
• Auditor—Determines economic impact of the crime or intrusion.

Source: IATAC Computer Forensics: Tools & Methodology CR/TA, May 12, 1999
Begin Recording Costs Necessary to Recover from the Incident

In criminal prosecutions, the value of your time and effort, as well as direct costs for restoring the system, may be admissible during the penalty phase of a trial. Loss means more than just loss of equipment and software. You should place appropriate value on information that may have been stolen, lost, or damaged; productive time lost on the system; costs of alternate systems necessary for day-to-day operations while the investigation is proceeding; etc.


Document Your Activity

Keep track of everything you do. This will not only assist the investigator, but may be crucial for the prosecutor during trial. The general rule is, "If you didn't record it, it didn't happen."
Make Backups & Print Log Files

This is the beginning of your evidence collection efforts within your compromised system. The best evidence will be an image of the system. If this is impractical, make a logical copy. Do not copy the backup or the log files onto the compromised system. The investigator will also need the most recent routine backup.


Designate an Evidence Custodian

One person should be in charge of all evidence recovered at this stage. This person will be responsible for the information's security and for documenting its origin (e.g., who recovered it, when and where it was recovered). This person will maintain the "chain-of-custody" and will receive the evidence you have gathered, as well as the documentation associated with your initial efforts after discovering the intrusion. This same person will be a point of contact for law enforcement officials as they begin their investigation.


Theorize

The system administrator and the team assembled to manage this incident know more about the system than anyone. Try to reconstruct the crime, being as open and candid as possible. Investigators will need your technical expertise and your ideas about matters such as:

• Your theory on how the intruder got in
• Attacks on the system in the past (both successful and unsuccessful)
• Unusual patterns of activity on the system
• General system vulnerabilities.
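The evidence custodian's two duties above, documenting where each item came from and preserving its integrity through every hand-off, are shown below in an added example that is not part of the sidebar. It hashes an evidence image, records a chain-of-custody entry for each holder, and refuses a transfer once the bytes no longer match the hash taken at recovery. The "disk image" is a constructed byte string written to a temporary file; the item number, names, and locations are assumptions for the example.

```python
"""Evidence intake with integrity hashes and a chain-of-custody record
(added example; names, locations and the image contents are constructed)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so images larger than memory can be handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item."""

    def __init__(self, item_id, path, recovered_by, where, when=None):
        self.item_id = item_id
        self.path = path
        self.digest = sha256_file(path)          # taken once, at recovery
        when = when or datetime.now(timezone.utc)
        # (time, person, location, action, hash) -- who, when, where, and state
        self.entries = [(when, recovered_by, where, "recovered", self.digest)]

    def transfer(self, to, where, when=None):
        """Hand the item to a new holder; refuse if the bytes have changed."""
        current = sha256_file(self.path)
        if current != self.digest:
            raise ValueError(f"{self.item_id}: hash mismatch, chain broken")
        when = when or datetime.now(timezone.utc)
        self.entries.append((when, to, where, "received", current))
        return current

    def verify(self):
        """True while the item still matches the hash recorded at recovery."""
        return sha256_file(self.path) == self.digest


def demo():
    """Recover an image, transfer it once, then show that any later write to
    the evidence (even one byte) is detected. Returns (ok_before, ok_after,
    number_of_custody_entries)."""
    image = b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 512
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(image)
    try:
        log = CustodyLog("ITEM-001", path, "sysadmin A. Lee", "Bldg 4, room 112")
        log.transfer("investigator R. Diaz", "Bldg 4, room 112")
        ok_before = log.verify()
        with open(path, "ab") as f:      # simulate someone writing to the evidence
            f.write(b"x")
        ok_after = log.verify()
        return ok_before, ok_after, len(log.entries)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())   # (True, False, 2)
```

The hash is computed from the copy the custodian holds, never on the compromised system, which is consistent with the sidebar's rule not to write backups or logs back onto that machine.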
Using Operations Security Methods to Protect DoD Information Systems


As the Department of Defense (DoD) increases its reliance on commercial off-the-shelf products and connections to public networks, there is a heightened need for safeguarding DoD information. Enemies who learn essential elements of friendly information (EEFI) about DoD systems may use this knowledge to further their economic, military, political, or strategic objectives. Ensuring the integrity of these systems requires a comprehensive approach that incorporates Defensive Information Warfare (IW-D), Information Assurance (IA), and Operations Security (OPSEC). This article focuses on the ways OPSEC, as a component of IW-D and IA, can prevent enemy EEFI collection.

What Is EEFI?

Key EEFI data for information systems include—

• Individual system characteristics and services

• Network characteristics and services

• Susceptibilities of systems and networks to exploitation

• Vulnerabilities of systems and networks that guarantee a successful attack

• Personal information on system administrators, network managers, and individual users.

Access to such information assists intruders in learning a great deal about individual systems or networks before perpetrating their attacks.

EEFI Collection Compromises the Integrity of DoD Systems

Collectively, EEFI can be leveraged by intruders to readily identify the tools to use in exploiting system weaknesses. To grasp how easy it may be for attackers to compromise a system's integrity, consider the following scenario. By default, information systems "out of the box" turn on all types of services, such as the mail application program SendMail, written by Eric Allman. Although a particular operating element may not require this service for completing its mission, certain computer manufacturers automatically include SendMail in their initial startup script for booting their systems. An inexperienced system administrator may fail to check which services are running and be completely unaware that SendMail has been installed. Enemies, meanwhile, may launch probes or port scans to determine what network services exist. Once these enemies learn SendMail is running, they can use numerous attack and exploitation scripts available in the public domain to interrogate SendMail. Consequently, the information system with SendMail is vulnerable to successful penetration, even though neither the administrator nor any user has consciously done anything wrong.

How OPSEC Protects EEFI

An effective OPSEC program includes regular reviews of DoD systems by informed reviewers who possess the technical knowledge to detect breaches in security. Such a program receives both managerial and technical emphasis to ensure reviews are effectively conducted. One OPSEC countermeasure, elimination of unnecessary services, would have prevented the scenario depicted above from occurring. Other OPSEC countermeasures are highlighted as follows.
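The check that the inexperienced administrator in the scenario skipped, finding out which services are actually listening and comparing them with what the mission requires, is shown below as an added example; it is not code from the article. It parses the output of the Linux `ss -ltnp` command and flags every listener that is not on a declared allowlist. The `ss` output and the allowlist are constructed for the example; on a real host, pipe the live output of `ss -ltnp` (or `netstat -ltnp`) into `audit_listeners()`.

```python
"""Audit listening TCP services against a mission allowlist (added example;
the ss output and the allowlist below are constructed, not from a real host)."""
import re

# What `ss -ltnp` might print on a freshly installed host whose vendor boot
# script started a mail daemon and a print spooler nobody asked for.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=701,fd=3))
LISTEN  0       100     0.0.0.0:25          0.0.0.0:*          users:(("sendmail",pid=842,fd=4))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=655,fd=6))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("httpd",pid=900,fd=4))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=701,fd=4))
"""

# Services this operating element needs for its mission: port -> process.
ALLOWLIST = {22: "sshd", 80: "httpd"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_output):
    """Return (bind_address, port, process_name) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def audit_listeners(ss_output, allowlist=ALLOWLIST):
    """Classify each listener as 'ok', 'unexpected' (port not allowed) or
    'mismatch' (allowed port, but a different program owns it). The scope
    tells whether the socket is reachable from the network or loopback only;
    an unneeded service is still EEFI even when it is loopback only."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        local = addr.startswith("127.") or addr == "[::1]"
        scope = "local" if local else "remote"
        if port not in allowlist:
            findings.append(("unexpected", port, proc, scope))
        elif allowlist[port] != proc:
            findings.append(("mismatch", port, proc, scope))
        else:
            findings.append(("ok", port, proc, scope))
    return findings


if __name__ == "__main__":
    for status, port, proc, scope in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{status:10} port {port:5} {proc:10} ({scope})")
```

Anything reported as unexpected is either removed from the startup scripts or added to the allowlist with a written justification; either way the reviewer now has the list the scenario's administrator never looked at.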

Implement External Blocking of Services at the System Level

Some operating systems lack any built-in monitoring or blocking features. For these systems, third-party solutions may or may not be available. However, one possible software solution for UNIX operating systems is to install TCP Wrappers, written by Wietse Venema, which can monitor and block incoming requests for network services such as systat, finger, ftp, telnet, rlogin, rsh, exec, tftp, and talk. System administrators can configure wrapper programs to support access control for an individual system, service, or both. System administrators can also activate auditing to capture unsuccessful attempts to access "wrapped" services.

Conduct External Blocking at the Individual Router, Gateway, or Firewall Level

As stated, no assurance exists that a system will have the built-in capability to block and monitor services. There is also no guarantee that individual system administrators, even if technically competent, will install a program such as TCP Wrappers correctly. As such, this countermeasure, which in the simplest implementation might be a packet-filtering Cisco router, can block exterior access to potentially vulnerable TCP/UDP services through an Access Control List (ACL). A more sophisticated implementation might involve a bastion-host firewall with proxy services and detailed audit mechanisms to record both successful and unsuccessful connections. The countermeasure ensures uniform application of an organization's access control policies because all information systems behind the blocking point are subject to the identical ACL and cannot avoid this filtering control.
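The two blocking points just described, the host-level wrapper and the perimeter ACL, are modelled together below so the interaction is visible: a connection from outside meets the router's ACL first, and a host whose wrapper tables are wrong is still covered; a connection from inside never transits the router, so only the host's own wrapper can stop it. This is an added example, not code from the article. The ACL grammar it accepts (`permit`/`deny tcp`, `any`, `host A.B.C.D`, `A.B.C.D WILDCARD`, `eq PORT`) and the wrapper client patterns (`ALL`, an exact address, or a dotted prefix such as `192.0.2.`) are deliberately reduced subsets of the real Cisco and TCP Wrappers syntaxes, and the rules, addresses, and connection attempts are constructed for the example.

```python
"""A perimeter ACL and TCP Wrappers-style host tables applied to the same
connection attempts (added example; reduced syntaxes, constructed data)."""
import ipaddress

# Perimeter: extended ACL. First matching line wins, and every ACL ends with
# an implicit "deny any", so a service that is not listed is never reachable
# from outside regardless of how the host behind it is configured.
PERIMETER_ACL = """
permit tcp any host 192.0.2.25 eq 25
permit tcp any host 192.0.2.80 eq 80
permit tcp any host 192.0.2.80 eq 443
permit tcp 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
"""


def _addr(s):
    return int(ipaddress.ip_address(s))


def _parse_endpoint(tokens):
    """Consume one address spec; return (remaining tokens, (net, match_mask))."""
    if tokens[0] == "any":
        return tokens[1:], (0, 0)
    if tokens[0] == "host":
        return tokens[2:], (_addr(tokens[1]), 0xFFFFFFFF)
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    return tokens[2:], (_addr(tokens[0]), 0xFFFFFFFF ^ _addr(tokens[1]))


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        t, src = _parse_endpoint(t[2:])
        t, dst = _parse_endpoint(t)
        port = int(t[1]) if t and t[0] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules


def _ep_match(spec, address):
    net, mask = spec
    return (_addr(address) & mask) == (net & mask)


def acl_decide(rules, proto, src, dst, dport):
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto == proto and _ep_match(rsrc, src) and _ep_match(rdst, dst)
                and (rport is None or rport == dport)):
            return action
    return "deny"  # the implicit deny at the end of every ACL


# Host: wrapper tables, daemon -> client patterns. hosts.allow is consulted
# first, then hosts.deny; a client matching neither file is ALLOWED, which is
# why hosts.deny normally ends with "ALL: ALL".
HOSTS_ALLOW = {"sshd": ["192.0.2."], "sendmail": ["ALL"]}
HOSTS_DENY = {"ALL": ["ALL"]}


def _client_match(patterns, client):
    return any(p == "ALL" or p == client or (p.endswith(".") and client.startswith(p))
               for p in patterns)


def wrapper_decide(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY, audit=None):
    for table, verdict in ((allow, "allow"), (deny, "deny")):
        for d in (daemon, "ALL"):
            if d in table and _client_match(table[d], client):
                if verdict == "deny" and audit is not None:
                    audit.append(f"refused connect from {client} to {daemon}")
                return verdict
    return "allow"


def connection_fate(acl, daemon, src, dst, dport, crosses_perimeter, audit=None):
    """Outside traffic meets the ACL first; inside-to-inside traffic never
    transits the router, so only the host's own wrapper can stop it."""
    if crosses_perimeter and acl_decide(acl, "tcp", src, dst, dport) == "deny":
        return "blocked at router"
    return "host " + wrapper_decide(daemon, src, audit=audit)
```

Note the asymmetry the article is pointing at: the perimeter ACL protects every host behind it identically, but it says nothing about traffic that originates inside, which is exactly where the wrapper's audit record of refused connections earns its keep.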

Establish a Comprehensive Approach to Password Protection

With the availability of password "cracking" or "guessing" programs, previous countermeasures that relied solely on difficult-to-guess passwords, based on composition and length, are no longer sufficient. Today, the following password protection countermeasures should be enforced.

1. Protect all reusable passwords in transmission. Reusable passwords remain the DoD's primary authentication mechanism. Users who connect remotely via a network from one system to another are subject to "sniffing" of their password or having their transmission intercepted. To prevent this, cryptography, either through hardware, software, or both, should be used.

2. Adopt one-time passwords in a software implementation. Programs such as One-time Passwords In Everything (OPIE) and S/Key provide this protection.

3. Use smartcard, token-based, or biometric authentication hardware. These devices have matured to the point where they are attractive options. No longer should these devices be considered "high-tech, high-cost" items. Integration of such technologies into an overall OPSEC program is advisable. Such hardware is extremely reliable for identifying and authenticating individuals for access to information systems. Unlike the conventional password, smartcards and biometric devices, such as retinal scanners, hand geometry readers, and voice analyzers, present robust defenses against attack.

4. Limit the number of incorrect password attempts allowed and maintain an audit record of all attempts. The strength of password-guessing programs, such as Crack and L0phtCrack, demonstrates the absolute necessity for restricting access to password files and ensuring that the passwords stored in them are strongly hashed. Limiting incorrect attempts delays specific types of attacks. Meanwhile, an audit record highlights potential attacks and indicates where an authorized user is having a problem in establishing a legitimate connection. This countermeasure helps administrators deny EEFI to an enemy and, depending on the sophistication of the record, may assist in obtaining EEFI on the attacker (i.e., network address).
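Countermeasures 2 and 4 above are combined in the following added example, which is not code from the article or from the OPIE or S/Key projects. The one-time password scheme is the Lamport hash chain that S/Key and OPIE are built on: the server stores only the top of a chain of repeated hashes, the client answers each login with the value one step below it, and the server moves its stored value down after every success, so a sniffed response is worthless for the next login. SHA-256 over raw bytes is used here instead of the MD4 and six-word encoding of RFC 1760. Around it sits the attempt limit and the audit record (user, source address, outcome). The user name, secret, seed, and addresses are constructed for the example.

```python
"""S/Key-style one-time passwords with attempt limiting and an audit record
(added example; SHA-256 in place of the RFC 1760 encoding; constructed data)."""
import hashlib


def _h(x):
    return hashlib.sha256(x).digest()


def otp_chain(secret, seed, n):
    """hash^n(secret || seed). The client answers challenge n with hash^n."""
    x = secret + seed
    for _ in range(n):
        x = _h(x)
    return x


class OtpServer:
    MAX_FAILURES = 3   # consecutive failures before the account is locked

    def __init__(self):
        self.accounts = {}   # user -> {"seed", "n", "last": hash^n}
        self.failures = {}   # user -> consecutive failed attempts
        self.audit = []      # (user, source address, outcome) for every attempt

    def enroll(self, user, secret, seed, n=100):
        # The server never stores the secret, only the top of the chain, so a
        # stolen server file does not yield usable passwords.
        self.accounts[user] = {"seed": seed, "n": n,
                               "last": otp_chain(secret, seed, n)}

    def challenge(self, user):
        """Sent in the clear: the sequence number and seed the client must use."""
        acct = self.accounts[user]
        return acct["n"] - 1, acct["seed"]

    def login(self, user, response, src_addr):
        acct = self.accounts.get(user)
        if acct is None or self.failures.get(user, 0) >= self.MAX_FAILURES:
            self.audit.append((user, src_addr, "rejected: unknown or locked"))
            return False
        if _h(response) == acct["last"]:
            # Accept, then step the chain down so this value is now stale:
            # replaying it hashes to the old top, not the new one.
            acct["last"], acct["n"] = response, acct["n"] - 1
            self.failures[user] = 0
            self.audit.append((user, src_addr, "ok"))
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self.audit.append((user, src_addr, f"bad otp ({self.failures[user]})"))
        return False
```

The audit list is what countermeasure 4 asks for: a locked-out account with a burst of failures from one outside address looks like an attack, while scattered failures from the user's own workstation look like someone who needs help. When the sequence number reaches zero the user must re-enroll with a new seed; that re-enrollment is not shown.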

Ensure Proper Disposal of Paper-Based and Electronic Media Files


A comprehensive plan must exist for the protection, trash collection, and final destruction of any material that addresses key elements of an organization, including removable and nonremovable media arriving at property disposal. This plan should include policy that enforces the need-to-know principle and addresses responsibilities and procedures associated with disposing of hardware and software.


Educate Users about E-Mail Risks


Electronic mail (e-mail) provides ample EEFI collection opportunities with a low risk of detection. The address of senders may be spoofed, and even if the address is not spoofed, the sender's intent for soliciting information may be suspect. An aggressive education program should—

• Alert users to the risks of e-mail collection

• Provide policy and training on specific actions to take should an e-mail request EEFI

• Ensure consistent e-mail account naming policies and procedures are used

• Offer on-line, user-friendly procedures to determine correct e-mail addresses.

Establish  Written  Policy 
for  Creating  Web  Sites 

The World Wide Web (WWW) is the easiest, most lucrative source of collection for an enemy. Many Web sites appear overnight in response to managerial direction to immediately establish a site, creating challenges for applying consistent OPSEC controls.

Reasonable written policy should exist on the approval, establishment, purpose, registration, and security testing of all Web servers, including realistic written policy on the review of all information before its release on a Web server. Specific countermeasures for limiting EEFI compromises via the Web include—

• Activate audit records on the Web server. Written proof that certain addresses have visited the site, viewed specific information, and perhaps downloaded material provides essential information for detecting suspect behavior. Such records also may justify the cost associated with creating and maintaining the site by proving the site is actively visited. For a Web site that has imposed restrictions such as access control lists, password authentication, and token-based authentication, or one that uses encryption for all or certain connections, an audit record indicates activity that violates such controls. This information, along with records from a site's router, gateway, or firewall platforms, provides system administrators a valuable overview of Web site activities.

• Enforce continuous programs to identify "rogue" or unauthorized servers. Periodically scanning one's networks to identify servers for which no official authorization exists is advisable. If someone has violated written policies regarding the establishment of a Web site, then an active and effective program must exist to identify violators.

• Implement access control lists at the router, gateway, or firewall level. System administrators can limit all incoming Web server connections to the specific network addresses of approved Web sites. Administrators may limit these connections at the router, gateway, or firewall level. Thus, even if an unauthorized site appears within the network, administrators may be able to deny outside connections. By establishing a policy that Web services must run on specific ports (typically 80, 443 for secure Web connections, and 8080), this blocking can be applied.
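The first countermeasure says an audit record "indicates activity that violates such controls"; the following added example, not code from the article, shows what that review looks like in practice. It parses Web server access-log lines in the Common Log Format (what NCSA- and Apache-style servers write) and flags three things: a successful read of controlled material from an address outside the approved networks, a download of controlled material by an authorized user (worth recording, not necessarily wrong), and a run of authentication failures from one address. The log lines, paths, and network ranges are constructed for the example.

```python
"""Review Web server audit records against the site's access policy
(added example; the log lines, paths and networks are constructed)."""
import ipaddress
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
192.0.2.17 - - [03/Mar/1999:08:12:01 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.9 - - [03/Mar/1999:08:12:44 -0500] "GET /restricted/roster.doc HTTP/1.0" 401 -
203.0.113.9 - - [03/Mar/1999:08:12:51 -0500] "GET /restricted/roster.doc HTTP/1.0" 401 -
203.0.113.9 - - [03/Mar/1999:08:13:02 -0500] "GET /restricted/roster.doc HTTP/1.0" 401 -
192.0.2.30 - jsmith [03/Mar/1999:08:20:10 -0500] "GET /restricted/roster.doc HTTP/1.0" 200 52311
198.51.100.4 - - [03/Mar/1999:08:31:55 -0500] "GET /restricted/netmap.gif HTTP/1.0" 200 18220
"""

APPROVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed site policy
RESTRICTED_PREFIX = "/restricted/"
PROBE_THRESHOLD = 3


def parse_clf(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def _approved(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in APPROVED_NETS)


def review(text):
    """Return (category, address, detail) findings for the log text."""
    findings = []
    denied = Counter()
    for r in parse_clf(text):
        restricted = r["path"].startswith(RESTRICTED_PREFIX)
        if r["status"] in ("401", "403"):
            denied[r["addr"]] += 1
        elif restricted and r["status"] == "200" and not _approved(r["addr"]):
            # Controlled material served to an outside address: the access
            # control itself has been bypassed or misconfigured.
            findings.append(("restricted-from-outside", r["addr"], r["path"]))
        elif restricted and r["status"] == "200":
            detail = f'{r["user"]} {r["path"]} {r["size"]} bytes'
            findings.append(("restricted-download", r["addr"], detail))
    for addr, count in denied.items():
        if count >= PROBE_THRESHOLD:
            findings.append(("auth-probing", addr, f"{count} denied requests"))
    return findings


if __name__ == "__main__":
    for category, addr, detail in review(SAMPLE_LOG):
        print(f"{category:24} {addr:14} {detail}")
```

Correlating the "restricted-from-outside" finding with the router or firewall log for the same minute tells the administrator whether the perimeter ACL let the connection through or the request came from a host inside the network that was spoofing nothing at all.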

Enemies have both the motivation and the sophisticated technologies to exploit information systems, which are appealing targets given their wide distribution and diversity. In combination with IW-D and IA, however, the OPSEC countermeasures described in this article can help deter EEFI collection, thereby protecting DoD systems.


Chris McDonald is with the U.S. Army Research Laboratory, Survivability/Lethality Analysis Directorate, White Sands Missile Range, NM. He is a Certified Information Systems Security Professional (CISSP) and a member of ACM, CSI, IEEE, ICSA, and ISSA. He may be reached at cdmcdonald@arl.mil.
sophisticated network-centric environment.

DoD must appoint an IO integrator for all the services to ensure synergy is achieved, redundant parallel efforts are eliminated, and suboptimization is detected; otherwise, efficiencies will not be realized, and "risks accepted by one, will be shared by all."

DoD must act now to make IA a top priority and protect the security of its future. DoD needs more trained personnel on DoD response teams, a quick detect/report/respond capability, and additional automated intrusion detection capabilities. This can only be accomplished by increasing training, budgeting for success, aggressively fixing our known vulnerabilities, and improving detect/report/respond processes.


Major Ashley is the Senior Information Operations (IO) Policy & Doctrine Officer, Joint Staff (J6K). He is the lead Joint Staff officer for IA policy and doctrine; IO education, training, and awareness; and Joint and CINC IO exercises. Major Ashley may be reached at ashleybk@jspentagon.mil.
Face Recognition Technology: The Key to a More Secure Future


Administrators and se-
followed trends and deployed, with varying degrees of success, tools such as closed-circuit television cameras, firewalls, encryption, and virus protection software. Although these tools have proven somewhat effective, they have not solved the issue of user authentication. In the past, corporate information security has consisted of passwords, personal identification numbers (PINs), or tokens to protect networks and desktops. In many places, passwords are considered the only barrier between a hacker and privileged, proprietary, and networked information. Unfortunately, passwords can be either so easy that a hacker can guess them or so difficult that they are burdensome. Tokens can be forgotten, lost, or stolen. People often keep their cards at their desks or accidentally leave them behind at the terminal where anyone can take them. With internal and external security concerns on the rise, many corporations are seeking a solution that does not involve cards, PINs, or passwords.

Up until now, there has not been a secure, yet convenient, mechanism with which to identify users and verify their access to restricted information. With the advent of biometric solutions, face recognition has proven to be an effective, user-friendly system.


Face recognition may be the most consumer-accepted method in existence. It is one of the few biometrics that does not require expensive additional hardware. By far the easiest and most intuitive technology to use, it is simply as easy as having your picture taken. The growth of videoconferencing has propagated the use of inexpensive video cameras. A growing percentage of corporations have already attached cameras to their users' personal computers, and these corporations are ordering only video-equipped monitors. In addition, because many firms already have a video base and/or database of employee photos, face recognition technology is an obvious choice in many different business settings and applications.

Face recognition technology has become increasingly user-friendly. One such product is TrueFace, by Miros, Inc. With TrueFace, a person simply sits down at a desktop or laptop, and the software "tracks" the person's face and stores those images in a database. Then, when the same person attempts to access information stored on the desktop or laptop, the software will first locate the person's face against any background and then verify or identify that person from a database of faces. These products are increasingly intuitive, allowing fast, simple access to corporate networks, Intranets, Extranets, the World Wide Web, or buildings, and still possess the core technology to photograph anyone attempting to access the desktop or network.

Especially fitting for the financial transactions, government security, health care, and electronic commerce (e-commerce) markets, face recognition software enables these industries to conduct business efficiently and securely.

Face recognition technology applications include the following:

• Intranet, extranet, and Internet access, where verification is used to ensure safe transactions online

• Physical security into buildings and restricted areas, where passwords or cards do not provide enough high-level security or are too costly

• Medical records management, where the usage of gloves prohibits other security systems

• Corporate network data, human resource records, and financial information security, which allows not only sensitive corporate information to be protected from hackers, but also the capability of auditing who is accessing what information

• E-commerce, where transactions warrant feelings of confidence and privacy on the customer's part.

In check-cashing environments, face recognition has been successful in reducing fraud.

One such company, Mr. Payroll, has conducted more than $250 million in self-service, 24-hour check cashing transactions using face recognition technology. This technology further enabled them to successfully stop three check-cashing fraud rings.

Face recognition technology is easily integrated into existing environments without user resistance because it does not require people to act, stand, or look different from their usual appearance. This hygienic, nonintrusive tool requires no special expertise to operate. Face recognition technology will enable not only corporate environments to feel safe knowing their information and surroundings are secure, but also individuals to feel more comfortable conducting business in today's technology-centric society.


Keith Angell directs a diverse range of Miros activities including finance, engineering, production, customer support, sales and marketing. He holds an M.B.A. in Finance from Louisiana State University and a B.S. in Engineering from Duke University. Mr. Angell has authored and co-authored more than 40 publications and has presented at more than 50 technical conferences. He may be reached at kangell@miros.com.


every day. Coalition counterparts likewise find time during the day to attend their own separate national meetings. Daily battle rhythm quickly accommodates these separate national and coalition events.

Second, we need to plan resources for the extra spaces, wiring, and automation equipment that coalition operations require. Three separate networks require three sets of all the pieces and parts and people to make that happen. Get used to it. There is no acceptable way to merge them in the short term, anyway, if ever. Fact of life in the business of moving electrons: if you can do business through it, you can do malicious business through it. Further, if you can do authorized business through it, you can make unintentional mistakes through it. Air gapping is likely to be with us for a long time.

Lastly, we need to have standing operating procedures (SOPs) that describe in detail all the "how to's," and we need to exercise them often so everybody gets up to speed and stays there. The better we get at doing this right the first time, the better we will be at avoiding the "emergency" solutions that get us all in trouble.


Col Treece is the G2 of 5th Signal Command in Mannheim, Germany and the IA Program Manager for U.S. Army Europe. He has had multiple assignments in coalition operations, including 7 years assigned to NATO at SHAPE, Belgium, and at AFSOUTH in Naples, Italy. He has worked with Balkans coalition information sharing issues on and off for a total of 6 years. He has worked at the CINC, the Service component, and the national policy level on classification and disclosure issues. treeced@hq.5sigcmd.army.mil
Public STINET, which provides free access to citations to unclassified, unlimited documents entered into DTIC's technical reports collection since 1985, has been enhanced with the Fulcrum SearchServer™ search engine and a new "look and feel." The result is improved ease of use, greater search capabilities, numerous new features, and improved communications between DTIC and our customers.

The new "look and feel" provides a "site map" and a "find it" feature, which make it easier to navigate STINET and find information. There are numerous additional searchable databases on STINET from other DTIC and Federal collections.

Read on to discover some of the new search capabilities and features.

New Search Capabilities:

• Quick Search: An all-fields Quick Search of the unclassified, unlimited technical reports collection can be conducted from the main STINET page. The Quick Search can also be used for a multi-database search on the Scientific and Technical Documents page. Such databases as the R&D Descriptive Summaries (RDDS), the How To Get It, DODISS, the DTIC Thesaurus, and the Technical Reports Collection can be searched simultaneously. The maximum number of citations returned with this search is 25 per database searched.

• Fielded Search: Searching by specific field(s) narrows search results. Two fielded search options are available. The Simple Fielded Search allows you to search by several key fields. The Advanced Fielded Search allows you to search from selected fields in the database.

• Proximity Searching: Provides a method of locating citations in which the words entered appear within a defined distance of each other.

• Report Date Searching: Search for citations to documents by a specific date or date range.

• Stop Words: There are no stop words with this new search engine. All words may be used in a search.

• Custom Search Results: Customize your search results by selecting the fields that you want displayed.

New Features:

• Enhanced Help: Help Topics and Help icons are available throughout STINET to help you find your way around.

• Online Troubleshooting: An Online Troubleshooting capability has been incorporated to enhance communications between STINET staff members and our customers. This service functions as a web-based electronic bulletin board with capabilities for posting customers' questions and DTIC responses.

• Shopping Cart: Select multiple items from STINET search results and send one consolidated order.

NOTE: Only DTIC registered users may order documents directly from DTIC.

STINET staff continues to listen to our customers' needs. If you have any suggestions, problems, or comments, please submit them via the web using the following Comment Form: http://www.dtic.mil/stinet/help/report.html.

If you want to contact a STINET representative directly, call Ms. June Doezema at (703) 767-8047/DSN 427-8047 or Ms. Pat Tillery at (703) 767-8267/DSN 427-8267; Email: stinet@dtic.mil or bcporder@dtic.mil.

Corresponding Enhancements to Secure STINET Will Follow Soon!
Internet-Based Information Security Master's Program to Start in August


James Madison University has announced an entirely Internet-based master's program in computer science with a concentration in information security. Classes begin August 28, 1999. In March 1999, NSA recognized James Madison University's contributions to information security education by designating JMU as a Center of Excellence in Information Assurance Education.

The program began in January 1997 and has drawn students from industry and business, the Department of Defense, the MILDEPs, the Federal Reserve Board, the Federal Bureau of Investigation, and the National Security Agency, as well as other agencies.

According to director Allan Berg, the program is designed for working professionals and requires no physical time in a classroom. Once every 7 weeks, students take a proctored exam at an individually arranged location. Students abroad may sit for exams at U.S. military installations around the world. Enrolled students log into the virtual classroom for streaming audio over PowerPoint presentations from the course professor, retrieve and complete assignments, and conduct discussions with the professor and fellow students, all in the virtual classroom. The program is taught asynchronously, meaning the professor and students do not have to be on-line at the same time. Berg says, "time zones and distance have no relevance in being able to take the program. If you have a good ISP you can reach us, from anywhere."


Prior to the groups (cohorts) that start this August, students were required to spend the first and last Saturday of every course in the classroom. The first cohort of students that started January 1997 finished the program in March 1999; an NSA cohort that began the program in June 1997 will finish in August 1999. The two cohorts that started August 1998 will finish September 2000. The five cohorts that start this August will consist of three open cohorts and two federally funded closed cohorts and will complete the program in November 2001.

The program emphasizes information technologies, administrative operations, and laws and regulations. Studies address information confidentiality and protection, risk management, data and system integrity and authenticity, and network security, among other topics. Classes focus on the understanding, use and management of information security concepts, principles, methods, and practices, while appreciating the differences in procedures used by organizations ranging from industry, to DoD and agencies, to private businesses.

Students spend 18 months and earn 30 credits to complete the Master of Science in Computer Science with a concentration in Information Security. More time may be necessary for students who need to take prerequisite courses to develop or refresh the skills necessary to complete the program.

The program is aimed at students with an undergraduate degree who have majored in computer science or gained technical experience with information systems. Entrants take classes in a required sequence, taking 7 weeks to complete each of the nine core courses and the capstone project.

Additional program information appears on the web site at http://www.infosec.jmu.edu. Director Allan Berg's telephone number is 540-568-8773 and his E-mail address is bergax@jmu.edu. Application information can be obtained by calling 540-568-8772.
Subscription Accounts and Technical Area Tasks

Robert P. Thompson
Director, IATAC


Subscription accounts and the Technical Area Task (TAT) program provide organizations with an opportunity to obtain value-added technical support that exceeds the services provided through basic information analysis center (IAC) operations. These activities fall within the scope of the IATAC mission but are tailored to meet the specific needs of the requesting activities. Funding to establish a Subscription Account and/or TAT is provided by the sponsoring activity.

Subscription accounts permit Government and Non-Government activities to establish deposit accounts that may be drawn upon to obtain a number of IATAC services. These services include technical inquiry assistance, attendance at IATAC-sponsored conferences, meetings, symposia, workshops, educational and training activities, and other IATAC products for which fees may be charged. Subscription accounts may be used to support inquiries processed on a cost recovery basis, typically those inquiries requiring between 8 and 80 hours to complete. These inquiries are categorized as Extended User Inquiry, Search and Summary, and Review and Analysis. The Subscription Account establishes a formal relationship between IATAC and the sponsoring activity. The benefit of a Subscription Account is that it provides users with a technical repository and resource to draw upon in response to emerging information assurance requirements.

Technical Area Tasks (TATs) facilitate the development of scientific and technical information (STI), as well as the extension and expansion thereof, to provide data acquisition, studies, analyses, and research and development to support DoD information assurance requirements. TATs are analytical and technical in nature, and the actual scope and level of effort may vary depending upon the requirements of the sponsoring activity. IATAC TAT areas of expertise address the broad spectrum of information assurance activities. Furthermore, IATAC TATs contribute to the growth of the information assurance (IA) knowledge base, and promote awareness and use of IA resources by applying the results of previous IA investment to current problems. As a result, TATs contribute to increased efficiency and effectiveness of current DoD scientific, technical, and operational activities.

For more information on subscription accounts and the TAT program, contact IATAC at (703) 289-5454 or via email at iatac@dtic.mil.
Data Embedding for Information Assurance

Provides an assessment of the state of the art in data embedding technology and its application to information assurance. It is particularly relevant to: information "providers" concerned about intellectual property protection and access control; information "consumers" who are concerned about the security and validation of critical information; and law enforcement, military, and corporate organizations concerned about efforts to communicate covertly. The report has been specifically designed for readers who are not experts in data embedding. For those desiring more in-depth information, the bibliography provides an extensive list of authoritative sources from which the reader can obtain additional technical detail.
Computer Forensics: Tools and Methodology

The primary focus of this report is a comparative analysis of currently available software tools that are used in computer forensic examinations. For readers who are unfamiliar with computer forensics, this report provides a useful introduction to this specific area of science, and offers practical high-level guidance on how to respond to computer system intrusions. For all readers, however, this report provides a useful analysis of specific products, including their respective capabilities, unique features, cost, and associated vendors.




Biometrics: Fingerprint Identification Systems

Focuses on fingerprint biometric systems used in the verification mode. Such systems, often used to control physical access to secure areas, also allow system administrators access control to computer resources and applications. As a result, fingerprint identification systems have become a viable solution for security policy enforcement. Information provided in this document is of value to anyone desiring to learn about biometric systems; the contents are primarily intended to assist those individuals who are responsible for effectively integrating fingerprint identification products into their network environments to support the existing security policies of their respective organizations.
Symposium & Exposition: "Securing the Future Through Technology"
Ft. Bragg, NC
Sponsored by AFCEA North Carolina Chapter
Call 910.483.2221

AUG 11-12

OCT 8-7

Space/10 Conference
Peterson AFB, CO
703.549.1600

14th Annual Mid-Atlantic Intelligence Symposium
Johns Hopkins Applied Physics Lab, Laurel, MD
http://www.erols.com/afcea
Call Ed Kesselman (CSC), 410.691.4077

OCT 31 - NOV 3

MILCOM 1999
Into the Next Millennium: Evolution of Data Into Knowledge
Atlantic City, NJ
www.milcom1999.com

NOV 10-19

TechNet Asia-Pacific '99
Honolulu, HI
Call J. Spargo & Associates, 703.631.6200



FEB 3-11

AFCEA West 2000
San Diego Convention Center
San Diego, CA

19-20

Information Systems Security Expo (ISSE) '99
Arlington, VA
Call J. Spargo & Associates, 703.631.6200

APR 25-27

Fiesta Informacion 2000
San Antonio, TX
Call J. Spargo & Associates, 703.631.6200

20-29

TechNet Europe '99
Renaissance London Heathrow Hotel
http://afcea.org/tne99/default.htm


Information Assurance Technology Analysis Center
3190 Fairview Park Drive
Falls Church, VA 22042


